Data Diode

Check source code

A data diode (also referred to as a unidirectional network) is a network device, acting as a network security layer, that allows data to travel in only one direction, thereby isolating and protecting networks from external cyber threats. Data can flow from the "low side" (untrusted network) to the "high side" (trusted network), or vice versa.

In the first case, data on the high side network is kept confidential: the high side can receive data from the low side, but no data from the high side can leak to the low side. In the second case, the high side can emit data to the low side network, while the systems and data located on the high side remain protected from any modification originating from the low side network, thus protecting integrity.

The purpose of a data diode is thus to:

  • ensure network security by segmenting the network into a high side and a low side,
  • provide data availability and ensure the reliability of the provided data.

Implementation

Unlike firewalls used to force unidirectional traffic, in a data diode the unidirectional connection is physical. Firewalls also need complex rules, heavy configuration and a lot of maintenance, whereas the data diode has only one rule, guaranteed by its physical connection. Hence the connection remains unidirectional even if both the low and the high networks are compromised.

This is usually achieved using a modified fiber-optic network link, where the send and receive transceivers for one direction are removed or disconnected, as in the example below.

This kind of simple data diode can only transmit packets received on its RJ45 interface. Hence it is only useful when combined with a switch that mirrors traffic to that interface.

Most data diodes are therefore built using two additional servers (one at each end of the diode). These servers make it possible to:

  • address the data diode using an IP address,
  • perform routing of UDP streams,
  • ensure data reliability,
  • provide additional services like file transfer.

In practice, those servers can run on minimalist computer devices like a Raspberry Pi. That way, the whole data diode can be presented as a compact single box.

Applications

Data diodes can be used for multiple purposes:

  • collect, analyze and store monitoring data (syslog, logstash) in a secured environment;
  • transfer files (from high to low or low to high);
  • transfer application and operating system updates to a secured network;
  • monitor multiple networks in a SOC;
  • allow time synchronization in a secured network;
  • stream (surveillance) video (from high to low or low to high);
  • send or receive alerts or alarms;
  • send or receive emails;
  • collect the results of an electronic voting system.

This technology is mostly used in the military domain and in power generation infrastructures.

Technical challenges

Far-End Fault

FEF is part of the IEEE 802.3u standard (Fast Ethernet). When a media converter stops receiving a signal, it stops emitting as well, thus bringing the connection down in both directions and notifying end users that the link is down. This feature is present on most media converters; some of them allow FEF to be disabled. In a data diode built with two media converters using FEF, one of them does not receive any signal (see figure below) and is consequently unable to emit. The solution to this issue is to add a third media converter and connect it to the other two media converters.

TCP ACK

Because the data diode allows only unidirectional traffic, ACK packets can never be received by the sender. The transport protocol used must therefore be UDP rather than TCP, and higher-level protocols must be built on UDP and work in a unidirectional way as well.
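The consequence of the missing return path is that reliability has to be built into the datagrams themselves. The following added example (not code from this project) sketches a constructed, diode-style framing on top of UDP-sized datagrams: every chunk carries a sequence number and the total count, every frame is sent twice to tolerate loss, and a trailing frame carries a SHA-256 hash so the receiver can detect gaps and corruption without ever sending anything back.

```python
import hashlib
import struct

# Constructed framing (hypothetical, for illustration): seq, total chunks, payload length.
# seq == total marks the trailer frame that carries the SHA-256 of the whole file.
HDR = struct.Struct("!IIH")


def encode(data: bytes, chunk: int = 1024, repeat: int = 2) -> list:
    """Split data into self-describing frames; each frame is emitted `repeat` times."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    total = len(chunks)
    frames = [HDR.pack(seq, total, len(c)) + c for seq, c in enumerate(chunks)]
    digest = hashlib.sha256(data).digest()
    frames.append(HDR.pack(total, total, len(digest)) + digest)  # trailer
    # Redundant copies are the only loss protection available without ACKs.
    return [f for f in frames for _ in range(repeat)]


class Receiver:
    """Reassembles frames; never emits anything, so it must detect loss by itself."""

    def __init__(self):
        self.chunks, self.total, self.digest = {}, None, None

    def feed(self, frame: bytes) -> None:
        seq, total, length = HDR.unpack_from(frame)
        payload = frame[HDR.size:HDR.size + length]
        self.total = total
        if seq == total:
            self.digest = payload
        else:
            self.chunks.setdefault(seq, payload)  # duplicate copies are ignored

    def missing(self):
        """Sequence numbers never seen; None if no frame arrived at all."""
        if self.total is None:
            return None
        return sorted(set(range(self.total)) - set(self.chunks))

    def result(self):
        """Reassembled data, or None if any chunk is missing or the hash does not match."""
        if self.total is None or self.missing() or self.digest is None:
            return None
        data = b"".join(self.chunks[i] for i in range(self.total))
        return data if hashlib.sha256(data).digest() == self.digest else None


def simulate(data: bytes, drop=lambda i: False) -> Receiver:
    """Push encoded frames through a lossy one-way channel; drop(i) discards frame i."""
    rx = Receiver()
    for i, frame in enumerate(encode(data)):
        if not drop(i):
            rx.feed(frame)
    return rx
```

Losing one copy of every frame still yields the file, while losing both copies of a chunk leaves a detectable gap in `missing()` that the receiver can report through its own monitoring channel.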

ARP

ARP requires the receiving end to answer the ARP requests broadcast by the emitting end. In a network that implements a data diode, the broadcast ARP request cannot be answered. Static ARP entries must therefore be configured to overcome this issue.

Features

For this project we implemented a data diode in order to study the capabilities of such devices.

Our data diode offers:

  • easy configuration through a web interface;
  • file transfer through the web interface;
  • file transfer using an FTP server at both sides of the data diode;
  • APT repository mirroring;
  • Python (PIP) repository mirroring;
  • routing of UDP streams.